SELinux Mailing List
Subject: default_context file
Date: Sun, 3 Nov 2002 19:47:15 +0100

I don't understand the new default_context file. Could anybody explain it? I understand the entries for login and ssh, but for the crond line I'm too stupid.

Thanks
Carsten

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Russell Coker <russell_at_coker.com.au>
Subject: Re: default_context file
Date: Mon, 4 Nov 2002 00:48:49 +0100

Actually the new setup for cron seems less capable than the old. For example, in the old setup I could set up an account bofh to have context bofh:user_r:user_crond_t for cron even though that user may be authorised for multiple roles. If a hostile user manages to create a crontab file for the user, then under the old system the cron job just wouldn't be run, because it would be in the wrong context. Under the new system the cron job would be run under the UID of the victim user but with the security context of the attacking user; if the attacking user is not permitted to change UID, then this can give access to the UID of the victim user, which may allow undesired access.

So I think that the new system is easier to set up, but offers less control.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page

From: carstengrohmann_at_gmx.de
Subject: Re: default_context file
Date: Mon, 4 Nov 2002 09:48:29 +0100 (MET)

> On Sun, 3 Nov 2002 19:47, Carsten Grohmann wrote:

--
+++ GMX - Mail, Messaging & more http://www.gmx.net +++ NEW: Get online with GMX. Surf around the clock for 1 ct/min!

From: Russell Coker <russell_at_coker.com.au>
Subject: Re: default_context file
Date: Mon, 4 Nov 2002 09:55:56 +0100

The type of the file used to store the user's crontab will be uniquely determined by the domain that they are using when they run the "crontab -e" command. There should be only one context that will match that file type defined in the policy database.

From: Stephen D. Smalley <sds_at_epoch.ncsc.mil>
Subject: Re: default_context file
Date: Thu, 7 Nov 2002 15:15:01 -0500 (EST)

> I don't understand the new default_context file. Could anybody explain

The daemons (crond, sshd) and login ask the in-kernel security server to compute the set of legal SIDs for the user that can be reached from their own SID, and then use the optional /etc/security/default_contexts and $HOME/.default_contexts files to determine a default when multiple SIDs are possible. crond is a little different than sshd and login since it also has a special case for system cron jobs. A partial context in a default_contexts file is ignored if it doesn't exist in the set of legal SIDs returned by the security server.

--
Stephen Smalley, NSA
sds@epoch.ncsc.mil

From: Stephen D. Smalley <sds_at_epoch.ncsc.mil>
Subject: Re: default_context file
Date: Thu, 7 Nov 2002 15:21:21 -0500 (EST)

> From: Russell Coker <russell@coker.com.au>

I'm not sure I follow you. crond still performs a check between the user context that will be used for the cron job process [obtained by asking the security server for a set of legal SIDs for the user that can be reached from crond's SID and then ordering based on default_contexts] and the file context on the crontab spool file. The crontab spool file is still labeled based on the context of the creating process using a type transition rule. If a hostile user in one domain manages to insert a crontab file for another user who is authorized for a different domain, the cron jobs from that crontab file still won't be executed in that other domain.

--
Stephen Smalley, NSA
sds@epoch.ncsc.mil

From: Russell Coker <russell_at_coker.com.au>
Subject: Re: default_context file
Date: Thu, 7 Nov 2002 22:52:08 +0100

After further consideration I agree with you that this is OK.
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |